oidc: allow setting redirect server port #1768

Merged
jku merged 2 commits into sigstore:main from antonio-mazzini:feat/oidc-redirect-port
May 14, 2026

@antonio-mazzini
Contributor

Summary

Adds an optional redirect_port argument to Issuer.identity_token
so callers can bind the local OAuth redirect server to a fixed port
instead of always using an ephemeral one.

Some enterprise OIDC providers (and Microsoft Entra ID under certain
configurations) require a pre-registered redirect URI and do not allow
wildcards on localhost ports, which currently blocks sigstore-python
from being used in those environments. cosign already exposes a
--oidc-redirect-url flag that solves the same problem on the CLI side.

The default of 0 preserves the existing behaviour (OS-assigned port).

Closes #1029

Test plan

  • make lint — ruff/mypy/bandit/interrogate green
  • pytest test/unit — 177 passed, no regressions
  • New unit test test_identity_token_passes_redirect_port verifies
    the parameter is forwarded to the OAuth flow

Add a redirect_port parameter to Issuer.identity_token so callers can
bind the local OAuth redirect server to a fixed port. Useful for OIDC
providers that require a pre-registered redirect URI without localhost
port wildcards.

Closes sigstore#1029

Signed-off-by: Antonio Mazzini <antoniomazzini55@gmail.com>
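
What binding the loopback redirect listener to a fixed port instead of port 0 involves, as an added example that is not sigstore-python's own code. `RedirectServer`, `CALLBACK_PATH`, the `/auth/callback` path and the `state` check are hypothetical names and choices made for illustration.

```python
import http.server
import secrets
import urllib.parse

# Hypothetical names throughout; this is not sigstore-python's _OAuthRedirectServer.
CALLBACK_PATH = "/auth/callback"


class _CallbackHandler(http.server.BaseHTTPRequestHandler):
    def do_GET(self) -> None:
        url = urllib.parse.urlparse(self.path)
        params = urllib.parse.parse_qs(url.query)
        state = params.get("state", [""])[0].encode()
        # Accept the code only on the expected path and with the state value
        # this server generated, compared in constant time.
        ok = (
            url.path == CALLBACK_PATH
            and "code" in params
            and secrets.compare_digest(state, self.server.state.encode())
        )
        if ok:
            self.server.auth_code = params["code"][0]
        self.send_response(200 if ok else 400)
        self.end_headers()

    def log_message(self, *args) -> None:
        pass  # keep the example quiet


class RedirectServer(http.server.HTTPServer):
    """Loopback-only listener for the authorization-code redirect."""

    # A fixed port that is already taken must fail at bind time, so the
    # listening socket is created without SO_REUSEADDR.
    allow_reuse_address = False

    def __init__(self, port: int = 0) -> None:
        # port=0: OS-assigned ephemeral port. Any other value: the port that
        # was pre-registered with the identity provider.
        super().__init__(("127.0.0.1", port), _CallbackHandler)
        self.state = secrets.token_urlsafe(16)
        self.auth_code = None

    @property
    def redirect_uri(self) -> str:
        # Read the port back from the socket so port=0 reports the real one.
        return f"http://127.0.0.1:{self.server_address[1]}{CALLBACK_PATH}"
```

With a fixed port the constructor raises `OSError` when another local process already holds the port; surfacing that error is preferable to falling back to a different port, which a provider that requires a pre-registered redirect URI would reject.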
@jku
Member

jku commented May 13, 2026

/gcbrun

Member

@jku jku left a comment

Seems reasonable to me.

The default values in _OAuthRedirectServer and _OAuthFlow look unnecessary since we always provide a value but that seems like a nitpick.

Member

@woodruffw woodruffw left a comment

LGTM as well 🙂

@jku jku merged commit 2ff4c01 into sigstore:main May 14, 2026
54 of 56 checks passed
@jku
Member

jku commented May 14, 2026

Thanks!

Development

Successfully merging this pull request may close these issues.

Allow setting of redirect uri port